LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the two main access control methods and policies?

Two methods — DAC (the resource owner grants access) vs MAC (the system enforces access from fixed security labels) — and two policies — Open (allow unless denied) vs Closed (deny unless allowed).

The method answers who decides who gets access; the policy answers what the default is when nothing explicit says yes or no.

Methods — who controls access:

Method Who decides Trade-off
Discretionary Access Control (DAC) The owner of each resource grants/revokes access (e.g. Unix file permissions, "share this doc") Flexible and convenient, but an owner can leak access — no central guarantee
Mandatory Access Control (MAC) The system enforces a central policy from security labels (e.g. Secret/Top-Secret); even the owner can't override it Very strict and leak-resistant, but rigid — used in military/government

Policies — the default answer:

Policy Default You then... Risk
Open Policy Allow all explicitly deny specific access Anything you forget to deny stays open — dangerous
Closed Policy Deny all explicitly grant specific access Anything you forget to grant is simply blocked — fails safe

Best practice: Use a Closed Policy (deny by default, grant only what's explicitly needed). This is the principle of least privilege: a forgotten rule then fails closed (blocked) instead of open (exposed).

Go deeper:

From Quiz: SPRG / Authorization | Updated: Jul 14, 2026